The Akira ransomware gang is actively exploiting CVE-2024-40766, a year-old critical-severity entry management vulnerability, to realize unauthorized entry to SonicWall gadgets.
The hackers are leverging the safety concern to realize entry to focus on networks through unpatched SonicWall SSL VPN endpoints.
SonicWall launched a patch for CVE-2024-40766 final 12 months in August, marking it as actively exploited. The flaw permits unauthorized useful resource entry and might trigger firewall crashes.
On the time, SonicWall strongly advisable that making use of the replace ought to be accompanied by a password reset for customers with domestically managed SSLVPN accounts.
With out rotating the passwords after the replace, menace actors may use uncovered credentials for legitimate accounts to configure the multi-factor authentication (MFA) or time-based one-time sassword (TOTP) system and acquire entry.
Akira was among the many first ransomware teams to actively exploit it in beginning September 2024.
An alert from the Australian Cyber Safety Heart (ACSC) yesterday warns organizations of the brand new malicious exercise, urging rapid motion.
“ASD’s ACSC is conscious of a latest improve in energetic exploitation in Australia of a 2024 crucial vulnerability in SonicWall SSL VPNs (CVE-2024-40766),” reads the advisory.
“We’re conscious of the Akira ransomware concentrating on susceptible Australian organizations by means of SonicWall SSL VPNs,” says the Australian Cyber Safety Centre.
Cybersecurity agency Rapid7 has made comparable observations, reporting that Akira ransomware assaults on SonicWall gadgets have not too long ago re-ignited, possible tied to incomplete remediation.
Rapid7 highlights intrusion strategies similar to exploiting the broad entry permission of the Default Customers Group to authenticate and connect with the VPN, and the default public entry permission for the Digital Workplace Portal on SonicWall gadgets.
It ought to be famous that this exercise has not too long ago generated confusion within the cybersecurity neighborhood, with many reporting that ransomware actors are actively exploiting a zero-day vulnerability in SonicWall merchandise.
The seller revealed a brand new safety advisory saying that it has “excessive confidence that the latest SSLVPN exercise will not be related to a zero-day vulnerability” and that it discovered “vital correlation with menace exercise associated to CVE-2024-40766.”
Final month, SonicWall famous that it was investigating as much as 40 safety incidents associated to this exercise.
CVE-2024-40766 impacts the next firewall variations:
- Gen 5: SOHO gadgets working model 5.9.2.14-12o and older
- Gen 6: Numerous TZ, NSA, and SM fashions working variations 6.5.4.14-109n and older
- Gen 7: TZ and NSA fashions working SonicOS construct model 7.0.1-5035 and older
System directors are advisable to observe the patching and mitigation recommendation supplied by the seller within the associated bulletin.
Admins ought to replace to firmware model 7.3.0 or later, rotate SonicWall account passwords, implement multi-factor authentication (MFA), mitigate the SSLVPN Default Teams threat, and limit Digital Workplace Portal entry to trusted/inside networks.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration traits.
